
www.jacksonlewis.com

Introduction

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final identity theft/data security regulations with the Secretary of State’s office, the final step before the regulations take effect on March 1, 2010. Many businesses are now beginning to think about what they need to do to comply. This Special Report, with checklists, and our companion webinar will help businesses prepare for the new regulations. More information about data privacy and security developments and resources can be found at www.workplaceprivacyreport.com.

The regulations apply to any business or individual that owns or licenses personal information (PI) about a Massachusetts resident, and establish minimum standards for protecting and storing such information. One owns or licenses PI when one “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”

PI is an individual’s first name (or first initial) and last name in combination with: (i) social security number, (ii) driver’s license number, (iii) state identification number, or (iv) financial account, debit or credit card number, whether contained in paper or electronic format.

The regulations require that covered entities develop, implement and maintain a comprehensive information security program to protect personal information. The program must be in writing, and is referred to as a written information security program (WISP). In evaluating compliance, the following items should be taken into account:

• the size, scope and type of business,

• the amount of resources available,

• the amount of stored data, and

• the need for security and confidentiality of both consumer and employee information.

Compliance Checklists

The following checklist outlines the items required to achieve compliance with the final data security regulations issued in Massachusetts.

INSIDE THIS ISSUE:

Massachusetts Data Security Compliance Checklist: Minimum “Written Information Security Program” (WISP) Requirements ... 2

Additional Requirements if Personal Information is Electronically Stored or Transmitted ... 3

Management Educational Opportunity ... 4

A BULLETIN ON EMPLOYMENT, LABOR, BENEFITS AND IMMIGRATION LAW FOR CLIENTS AND FRIENDS OF JACKSON LEWIS LLP

Winter 2010

All We Do Is Work℠

• SPECIAL REPORT •

Massachusetts Identity Theft/Data Security Regulations Effective March 1, 2010 – Are You Ready?


Massachusetts Data Security Compliance Checklist: Minimum “Written Information Security Program” (WISP) Requirements

Requirements for Every WISP

In General:
• Program must be in writing.
• Program must be developed, implemented, maintained and monitored.
• Program must have administrative, technical, and physical safeguards and be reasonably consistent with safeguards for protection of personal information and information of a similar character set forth in any applicable state or federal regulations.

Appoint Key Person:
• Designate one or more employees to maintain the program.

Risk Assessment:
• Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of personal information.
• Evaluate and improve current safeguards for addressing identified risks through such steps as:
  • ongoing employee (including temporary and contract employee) training;
  • ensuring employee compliance with policies and procedures;
  • detecting and preventing security system failures.

External Employee Access:
• Develop security policies addressing whether and how employees may keep, access and transport records containing personal information outside of the Company’s business premises.

Discipline:
• Impose discipline when the Company’s program is violated.

Protocols for Termination of Employment:
• Establish procedures to immediately stop access by terminated employees to personal information, whether physical or electronic, such as deactivating their passwords and user names, changing locks, retrieving IDs, and so on.

Oversee Service Providers:
• A service provider is any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to the regulations.

To adequately oversee service providers, the regulations require that covered entities:

1. Take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the regulations and any applicable federal regulations; and

2. Require such service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract in place prior to March 1, 2010, will be deemed to satisfy this requirement even if the contract does not require the service provider to maintain the appropriate safeguards. However, these contracts should be amended to include similar provisions as soon as possible, as there may be similar requirements under federal or other states’ laws (such as HIPAA or data security laws in Maryland, Oregon or Nevada). Contracts entered into on or after March 1, 2010, must contain appropriate language.

Physical Access and Storage:
• Impose reasonable restrictions upon physical access to records containing personal information, and store such records and data in locked facilities, storage areas or containers.

Monitor Security Program Performance:
• Establish a procedure for regular monitoring to ensure the program is operated in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrade information safeguards as necessary.

Annual Assessment of Scope of Security Program:
• At least once per year (or whenever there is a material change in business practices that reasonably affects the security or integrity of records containing personal information), review the scope of the program’s security measures for adequacy.

Document Breach Response:
• Document the steps taken to respond to a breach of security, and conduct a post-breach review of events and actions taken, if any, to make changes in the program.

EDITORIAL BOARD:

Howard M. Bloom (617) [email protected]

Matthew A. Porter (617) [email protected]

Roger S. Kaplan (631) [email protected]

Mei Fung So (212) [email protected]

This update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis LLP and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis LLP.

This update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis LLP represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.

© 2010, Jackson Lewis LLP

JACKSON LEWIS MASSACHUSETTS OFFICE

Jackson Lewis LLP
75 Park Plaza, 4th floor
Boston, MA 02116
Phone: (617) 367-0025
Fax: (617) 367-2155
www.jacksonlewis.com


Additional Requirements if Personal Information is Electronically Stored or Transmitted

The following checklist outlines additional items for electronically stored or transmitted personal information. The additional elements below apply, at a minimum and to the extent feasible:

• to every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information, and

• must be part of a security system established and maintained by such person that covers the person’s computers, including any wireless system.

Implement Secure User Authentication Protocols that:

• control user IDs and other identifiers;

• provide a reasonably secure method of assigning and selecting passwords, or use unique identifier technologies, such as biometrics or token devices;

• control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

• restrict access to active users/user accounts only; and

• block access to a user identification after multiple unsuccessful attempts to gain access, or after the limitation placed on access for the particular system is reached.

Implement Secure Access Control Measures that:

• restrict access to personal information to those who need such information to perform their job duties; and

• assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

Encryption:
• Encrypt all transmitted records and files containing personal information that will travel across public networks or be transmitted wirelessly.

Mandatory Encryption for Portable Devices:
• Encrypt all laptops or other portable devices that store personal information.

Monitor IT System Use and Access:
• Perform reasonable monitoring for unauthorized use of or access to personal information.

Firewall/Malware/Virus Protection:
• Implement reasonably up-to-date firewall and system security agent software, malware protection, and reasonably up-to-date patches and virus definitions that are reasonably designed to maintain the integrity of the personal information on a system connected to the Internet. The system also should be designed to receive current security updates on a regular basis.

Training:
• Train and educate employees on the proper use of the computer security system and the importance of personal information security.


To update contact information, or for any other request or comment regarding your complimentary subscription to this publication, please send an e-mail to: [email protected];

or postal mail to: Jackson Lewis LLP, 59 Maiden Lane, 39th Floor, New York, NY 10038, Attn: Client Services.

Please include the title of this publication in all correspondence.

Jackson Lewis LLP represents management exclusively in employment, labor, benefits and immigration law and related litigation.

The firm has 45 offices and more than 600 attorneys.

Jackson Lewis represents employers before state and federal courts and administrative agencies on a wide range of issues, including discrimination, wrongful discharge, wage/hour, affirmative action, immigration, and pension and benefits matters. Jackson Lewis negotiates collective bargaining agreements, participates in arbitration proceedings and represents union-free and unionized employers before the NLRB and other federal and state agencies. The firm counsels employers in matters involving workplace health and safety, family and medical leaves and disabilities.

MANAGEMENT EDUCATIONAL OPPORTUNITY

FREE WEBINAR:

Massachusetts Identity Theft/Data Security Regulations Effective March 1, 2010 – Are You Ready?

Access the webinar at: http://www.jacksonlewis.com/events/webinars.cfm

Jackson Lewis is pleased to provide employers with this Special Report and the companion webinar.

JACKSON LEWIS OFFICES:

Albany, NY (518) 434-1300
Albuquerque, NM (505) 878-0515
Atlanta, GA (404) 525-8200
Baltimore, MD (410) 415-2000
Birmingham, AL (205) 332-3100
Boston, MA (617) 367-0025
Chicago, IL (312) 787-4949
Cincinnati, OH (513) 898-0050
Cleveland, OH (216) 750-0404
Dallas, TX (214) 520-2400
Denver, CO (303) 892-0404
Detroit, MI (248) 936-1900
Greenville, SC (864) 232-7000
Hartford, CT (860) 522-0404
Houston, TX (713) 650-0404
Indianapolis, IN (317) 489-6930
Jacksonville, FL (904) 638-2655
Las Vegas, NV (702) 921-2460
Long Island, NY (631) 247-0404
Los Angeles, CA (213) 689-0404
Memphis, TN (901) 462-2600
Miami, FL (305) 577-7600
Minneapolis, MN (612) 341-8131
Morristown, NJ (973) 538-6890
New Orleans, LA (504) 208-1755
New York, NY (212) 545-4000
Norfolk, VA (757) 648-1448
Omaha, NE (402) 391-1991
Orange County, CA (949) 885-1360
Orlando, FL (407) 246-8440
Philadelphia, PA (267) 319-7802
Phoenix, AZ (602) 714-7044
Pittsburgh, PA (412) 232-0404
Portland, OR (503) 229-0404
Portsmouth, NH (603) 559-2700
Providence, RI (401) 490-3444
Raleigh-Durham, NC (919) 854-0044
Richmond, VA (804) 649-0404
Sacramento, CA (916) 341-0404
San Diego, CA (619) 573-4900
San Francisco, CA (415) 394-9400
Seattle, WA (206) 405-0404
Stamford, CT (203) 961-0404
Washington, D.C. Region (703) 483-8300
White Plains, NY (914) 328-0404